Security researchers detail Hermit spyware on Android and iOS

Daniel Sims

Posts: 518   +20
In brief: Governments around the world increasingly deploy mobile spyware in response to civil strife. Reports from Google and Lookout Threat Lab describe multiple spyware campaigns undertaken through Italian company RCS Labs. In some cases, ISPs helped distribute its "Hermit" spyware, which the company can sideload onto iPhones.

A report from Google's Threat Analysis Team describes how Italian company RCS Labs distributes its Hermit spyware on behalf of clients which include national governments. It aligns with Lookout Threat Lab's report from earlier this month.

Attackers distribute Hermit through SMS links leading to fake web pages impersonating real companies, like a Facebook account recovery page or a support page for Chinese tech company Oppo. The pages might ask users to download apps that deliver the spyware.

However, in some cases, the target's ISP might cooperate with attackers by disabling the target's internet service. The target then receives a message with a link to restore service which installs Hermit.

Examples of fake web pages that distributed Hermit spyware

Through drive-by downloads and multiple known exploits, RCS can sideload apps containing Hermit onto iOS devices because the company is part of the Apple Developer Enterprise Program. The apps never appear on the Apple App Store but have legitimate iOS certificates and run within the iOS app sandbox. Similar drive-by downloads are possible on Android if users enable sideloading, and the apps never appear on Google Play.

Google and Lookout detected Hermit's deployment most notably in Kazakhstan. Lookout also noticed it in Kurdish areas of Syria and found RCS has connections to the governments of Vietnam, Myanmar, Pakistan, Chile, Mongolia, Bangladesh, and Turkmenistan.

To avoid spyware, users should keep their mobile devices updated, avoid suspicious or unknown links, be cautious when installing new apps, and occasionally review their apps.

Permalink to story.



Posts: 1,123   +822
Seems odds are stacked against the recipients.
I was chatting with my son the other day about security in big Corps . Said it was very hard when multiple people involved - When one person rips off a company for millions in fake invoices - it's poor security .

So weird Android need side loading
Apple they are signed apps ???? how does that work?

I don't do sideloading - if I did - it would be on a wifi only phone - for a specific purpose - eg if I wanted to program NFC chips for games ( never done it - but believe such apps need to be sideloaded - most of us have old phones around )


Posts: 1,223   +271
Out of so many times sideloading apks, there's only one time I got a message that an app was blocked by play protect and it needs the user to click "install anyway".

Google could've added hermit into the play protect blocklist and at least users will be notified again. if they insist, it's on them. I don't think Google is interested in working with them anyway because Google already can see everything once you sign in your google account in android.


Posts: 148   +102
So weird Android need side loading
Apple they are signed apps ???? how does that work?

Security at Apple has always bin a high priority. Apps you can only get by appstore, and apps are required to be "tight" or "strict". Google on the other hand was a mess and many malware was provided by side-loading. It needs to end.

And as faking invoicing; as long as that person is working at administration and verifies the outgoing payments it will last untill a clever accountant eventually picks up.